Class: Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase

Inherits:
Object
  • Object
show all
Includes:
PatternMatchCheck
Defined in:
lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb

Constant Summary

Constants included from PatternMatchCheck

PatternMatchCheck::EXCLUSION_LIST

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

Attributes included from PatternMatchCheck

#attack_pattern, #attack_pattern_is_regex, #avoid_comments, #negative_search, #root_dir

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from PatternMatchCheck

#must_exclude?, #vuln?

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Constructor Details

#initializeSessionStoredInDatabase

Returns a new instance of SessionStoredInDatabase.


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# File 'lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb', line 8

def initialize
  message = "By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session."

  super({
    :name=>"Owasp Ror CheatSheet: Session management",
    :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
    :applies=>["rails"],
    :glob=>"session_store.rb",
    :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
    :message=>message,
    :attack_pattern => ["Application.config.session_store :active_record_store", "Rails.application.config.session_store ActionDispatch::Session::CacheStore"],
    :negative_search=>true,
    :avoid_comments=>true,
    :check_family=>:owasp_ror_cheatsheet,
    :severity=>:info,
    :evidences=>["In your session_store.rb file you are not using ActiveRecord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
    :mitigation=>"Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
  })
  # @debug = true
end